Projects

ASLR serves as the base exploit mitigation technology upon which further mitigations are built. ASLR changes the memory layout such that if an attacker knows a program has a vulnerability, the attacker won't know where the vulnerability lies in memory since the memory layout has been randomized. This makes life extremely difficult for the attacker. HardenedBSD's implementation of ASLR is the strongest implemented in any of the BSDs.

PaX-Inspired SEGVGUARD

In some cases, ASLR can be defeated. Techniques known as ROP (and ROP's variants) can defeat ASLR, given an information leakage vulnerability that leaks memory addresses. An attacker can generate a ROP payload on-the-fly using a technique called BROP (Blind ROP). However, BROP generally takes a few tries to get right, causing the application to crash with each try. If the application being attacked is configured to respawn in case of crashes, an attacker can automate ROP payload generation. SEGVGUARD helps protect against this brute-force method of defeating ASLR by preventing the restart of applications that crash via a segmentation fault (SIGSEGV) multiple times within a given period.
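The policy described above (count SIGSEGV deaths per program, forget them after a window, refuse execution for a while once the count is exceeded) is small enough to model directly. The following is an added simulation, not HardenedBSD's SEGVGUARD code: the `segv_policy` knobs, their values, the `segv_state` bookkeeping and `simulate_respawn` are all constructed for this example, and the numbers are not HardenedBSD's defaults.

```c
#include <stdio.h>
#include <time.h>

/* Policy knobs a SEGVGUARD-style mechanism needs. Values used below are
 * constructed for the simulation, not HardenedBSD's sysctl names or defaults. */
struct segv_policy {
    int    max_crashes;   /* SIGSEGV deaths tolerated inside one expiry window */
    time_t expiry;        /* seconds after which the crash count is forgotten */
    time_t suspension;    /* seconds during which execution of the program is refused */
};

/* State tracked per program (a real implementation keys this on the binary). */
struct segv_state {
    int    crashes;          /* crashes counted in the current window */
    time_t window_start;     /* when the window opened; 0 means no open window */
    time_t suspended_until;  /* 0 means not suspended */
};

/* Record a SIGSEGV death at time `now`. Returns 1 if this crash triggered a suspension. */
int segvguard_crash(struct segv_state *s, const struct segv_policy *p, time_t now) {
    if (s->window_start == 0 || now - s->window_start > p->expiry) {
        s->window_start = now;   /* stale window: start counting afresh */
        s->crashes = 0;
    }
    s->crashes++;
    if (s->crashes >= p->max_crashes) {
        s->suspended_until = now + p->suspension;
        s->window_start = 0;
        s->crashes = 0;
        return 1;
    }
    return 0;
}

/* Decide at exec time whether the program may run. */
int segvguard_allow_exec(struct segv_state *s, time_t now) {
    if (s->suspended_until != 0 && now < s->suspended_until)
        return 0;
    s->suspended_until = 0;      /* suspension has lapsed */
    return 1;
}

/* Simulate a supervisor that respawns a program every `interval` seconds for
 * `attempts` rounds while every run dies with SIGSEGV (the respawn-and-crash
 * pattern described above). Returns how many rounds actually executed.
 * p == NULL simulates a system without the guard. */
int simulate_respawn(const struct segv_policy *p, int attempts, time_t interval) {
    struct segv_state st = { 0, 0, 0 };
    time_t now = 1000;               /* arbitrary constructed epoch */
    int executed = 0;
    for (int i = 0; i < attempts; i++, now += interval) {
        if (p && !segvguard_allow_exec(&st, now))
            continue;                /* refused: the respawn loop is starved */
        executed++;
        if (p) segvguard_crash(&st, p, now);
    }
    return executed;
}

int main(void) {
    struct segv_policy p = { 5, 60, 600 };   /* constructed: 5 crashes per minute, 10 minute suspension */
    printf("without guard: %d of 20 respawns ran\n", simulate_respawn(NULL, 20, 1));
    printf("with guard:    %d of 20 respawns ran\n", simulate_respawn(&p, 20, 1));
    printf("with guard, one crash per 30 s: %d of 20 ran\n", simulate_respawn(&p, 20, 30));
    return 0;
}
```

The third line of output is the caveat worth knowing when tuning such a policy: crashes spaced further apart than the expiry window never accumulate, so the guard converts a fast brute force into a slow one rather than stopping it outright. The expiry and suspension values decide where that trade-off sits for a given service.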

PaX-inspired mprotect and pageexec hardening (aka, NOEXEC)

Memory allocations can have three permissions set: Read, Write, EXecute. An attacker will generally try to place malicious code in a region of memory that is both writable and executable. NOEXEC prevents the creation of memory allocations that have both the writable and execute permissions set. If an allocation is created as writable, it can never be marked as executable. If it is created as executable, it can never be marked as writable. The most notable offenders of NOEXEC are applications with a Just-In-Time (JIT) compiler, like Firefox, Chromium, and Java.

procfs can serve as an interesting attack vector. We hardened procfs and linprocfs to prevent attackers from controlling processes by manipulating key files in [lin]procfs. These files are generally used for debugging purposes. Attempts to write to these debugging files will generate an error.

secadm - HardenedBSD Security Administration

secadm is a tool specific to HardenedBSD that lets you toggle various exploit mitigation features on a per-application, per-jail basis. As mentioned above, applications like Firefox and Chromium dislike NOEXEC and will crash or exhibit errors if NOEXEC is enabled for them. secadm can be used to disable NOEXEC for those applications. Similarly, if an application misbehaves with other exploit mitigation features, like ASLR, that feature can be turned off just for that application.

Additionally, secadm includes a feature called Integriforce (file INTEGRity enFORCEment). Integriforce allows a system administrator to ensure file integrity through hash enforcement, similar in concept to NetBSD's Veriexec. Integriforce can be set in whitelisting mode, turning it into a verified application whitelisting tool.